Technical Field
The present invention relates to computing system security management, and, more particularly, to enterprise data security management using differential dependency tracking for attack forensics.
Description of the Related Art
Conventionally, enterprises have protected their computing systems by attempting to prevent attackers from gaining access using perimeter defenses (e.g., firewalls, intrusion prevention systems (IPSs), etc.). However, given the sophistication of modern attacks (e.g., drive-by downloads, phishing emails, contaminated mobile devices, insider attacks, etc.), successful intrusions and compromises are almost unavoidable in an enterprise. For example, there have recently been several high-profile data breaches at large, international corporations. As such, in the real world, the fundamental assumption that enterprise security management may be performed simply by preventing attackers from entering an enterprise no longer holds true.
Intrusion recovery and intrusion detection are increasingly used for enterprise security management, and may include, for example, ubiquitous monitoring of devices in an enterprise, backtracking the origin of intrusions, or estimating the impact of an attack. With respect to backtracking, once an intrusion is detected, backtracking the intrusion traces the actions of the intruders to identify how they entered the system. This helps system administrators identify and patch the root causes of the intrusion and strengthen the enterprise's security.
A key challenge in backtracking is the increasing complexity of modern enterprise systems. This complexity introduces a plethora of dependencies among different components and applications across the enterprise. Conventional systems and methods for backtracking attacks incorrectly filter out certain attack-related events (e.g., by removing hub files, removing pipes, removing read-only files, etc.), and are unable to sufficiently reduce the size of backtracking graphs (e.g., by transforming or condensing the received data) for effective analysis of the attack. This is because conventional systems and methods are unable to effectively and accurately detect and/or prune away resources unrelated to the attack, and so cannot generate an accurate and concise backtracking graph.
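The following added example (not part of the patent text) illustrates the backtracking described above on a small constructed audit log: a time-ordered backward search from a detection point recovers the chain of dependencies that led to it, and a conventional "drop hub files" filter, applied to a file such as /etc/passwd that many processes touch, severs the attack trail entirely. The event names and timestamps are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed audit events: (source, target, timestamp).
# An edge means the target depends on the source (it was written,
# read, or executed by it) at the given time.
EVENTS = [
    ("mail_client", "/tmp/invoice.pdf", 1),   # phishing attachment saved
    ("/tmp/invoice.pdf", "pdf_viewer", 2),    # viewer opens attachment
    ("pdf_viewer", "/tmp/stage.sh", 3),       # exploited viewer drops a script
    ("/tmp/stage.sh", "bash", 4),             # script is executed
    ("bash", "/etc/passwd", 5),               # account added to a hub file
    ("/etc/passwd", "sshd", 6),               # sshd reads the modified file
    ("sshd", "/var/log/auth.log", 7),         # unrelated forward activity
    ("/etc/passwd", "cron", 8),               # benign reader of the hub file
    ("cron", "/var/log/cron.log", 9),
]


def build_graph(events):
    """Index events by target so predecessors can be looked up quickly."""
    preds = defaultdict(list)
    for src, dst, ts in events:
        preds[dst].append((src, ts))
    return preds


def backtrack(preds, sink, sink_time, prune=frozenset()):
    """Return every node that could have influenced `sink`.

    Only edges that occurred before the time at which a node was reached
    are followed (time ordering). Nodes listed in `prune` are skipped, which
    mimics the conventional heuristic of dropping hub files from the graph.
    """
    reached = {sink}
    frontier = deque([(sink, sink_time)])
    while frontier:
        node, t = frontier.popleft()
        for src, ts in preds[node]:
            if ts < t and src not in prune and src not in reached:
                reached.add(src)
                frontier.append((src, ts))
    return reached


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    # Detection fires at time 10 on sshd; full search reaches mail_client.
    print(sorted(backtrack(graph, "sshd", 10)))
    # Pruning the hub file leaves only the sink: the trail is lost.
    print(sorted(backtrack(graph, "sshd", 10, prune={"/etc/passwd"})))
```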